From b4aea1680b0327d824ca6a0231119ac32bb39646 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 4 Jun 2005 00:59:39 +0000 Subject: [PATCH] Back out Crossbeam documentaiton Changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2222 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/firewall | 118 ++++++++---------------------------- Shorewall2/releasenotes.txt | 28 +-------- Shorewall2/shorewall.conf | 28 --------- 3 files changed, 26 insertions(+), 148 deletions(-) diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 539171dbc..25633f900 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -1512,14 +1512,6 @@ deleteallchains() { run_iptables -X } -# Create rules to accept traffic into the crossbeam backbone -# -addcrossbeamrules() { - run_iptables -A INPUT -i $CROSSBEAM_BACKBONE -j ACCEPT - run_iptables -A OUTPUT -o $CROSSBEAM_BACKBONE -j ACCEPT - run_iptables -A FORWARD -i $CROSSBEAM_BACKBONE -o $CROSSBEAM_BACKBONE -j ACCEPT -} - ## # Source a user exit file if it exists # 
@@ -1805,62 +1797,26 @@ stop_firewall() { [ -n "$DISABLE_IPV6" ] && disable_ipv6_1 - if [ -z "$CROSSBEAM" ]; then - - if [ -z "$ADMINISABSENTMINDED" ]; then - for chain in INPUT OUTPUT FORWARD; do - setpolicy $chain DROP - done - - deleteallchains - else - for chain in INPUT FORWARD; do - setpolicy $chain DROP - done - - setpolicy OUTPUT ACCEPT - - deleteallchains - - for chain in INPUT FORWARD; do - setcontinue $chain - done - fi - + if [ -z "$ADMINISABSENTMINDED" ]; then + for chain in INPUT OUTPUT FORWARD; do + setpolicy $chain DROP + done + + deleteallchains else + for chain in INPUT FORWARD; do + setpolicy $chain DROP + done + + setpolicy OUTPUT ACCEPT + + deleteallchains - if [ -z "$ADMINISABSENTMINDED" ]; then - for chain in INPUT OUTPUT FORWARD; do - setpolicy $chain ACCEPT - done - - deleteallchains - addcrossbeamrules - - for chain in INPUT OUTPUT FORWARD; do - setpolicy $chain DROP - done - - else - for chain in INPUT FORWARD; do - setpolicy $chain ACCEPT - done - - setpolicy OUTPUT ACCEPT - - deleteallchains - addcrossbeamrules - - for chain in INPUT FORWARD; do - setcontinue $chain - done - - for chain in INPUT FORWARD; do - setpolicy $chain DROP - done - fi + for chain in INPUT FORWARD; do + setcontinue $chain + done fi - + hosts= [ -f $TMP_DIR/routestopped ] || strip_file routestopped 
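Review bot: The DROP-before-flush ordering that this hunk restores in stop_firewall is not recorded anywhere in the new code, and the removed Crossbeam branch shows how easily it gets inverted: it set the policies to ACCEPT ahead of `deleteallchains`, leaving a window with empty chains and an open policy. I would add a comment above the `if [ -z "$ADMINISABSENTMINDED" ]` test such as `# Policies go to DROP before deleteallchains so the flush never exposes an ACCEPT policy`. A second comment on `setpolicy OUTPUT ACCEPT` should say that, as far as this hunk shows, traffic originated by the firewall itself is left unfiltered while Shorewall is stopped with ADMINISABSENTMINDED set. The first comment applies equally to the `setpolicy ... DROP` / `deleteallchains` sequence in the initialize_netfilter hunk. stop_firewall begins before and continues after this hunk, and setcontinue is defined elsewhere, so what it admits on INPUT and FORWARD should be confirmed there.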
@@ -6517,36 +6473,15 @@ initialize_netfilter () { exists_OUTPUT=Yes exists_FORWARD=Yes - if [ -z "$CROSSBEAM" ]; then - - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP + setpolicy INPUT DROP + setpolicy OUTPUT DROP + setpolicy FORWARD DROP - deleteallchains + deleteallchains - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT - - else - - setpolicy INPUT ACCEPT - setpolicy OUTPUT ACCEPT - setpolicy FORWARD ACCEPT - - deleteallchains - addcrossbeamrules - - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT - - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP - - fi + setcontinue FORWARD + setcontinue INPUT + setcontinue OUTPUT f=$(find_file ipsets) @@ -8119,8 +8054,6 @@ do_initialize() { RESTOREBASE= TMP_DIR= - CROSSBEAM= - CROSSBEAM_BACKBONE= ALL_INTERFACES= ROUTEMARK_INTERFACES= ROUTEMARK=256 @@ -8319,9 +8252,6 @@ do_initialize() { DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) - # Check if we are on a crossbeam machine - CROSSBEAM=$(added_param_value_no CROSSBEAM $CROSSBEAM) - [ -z "$CROSSBEAM_BACKBONE" ] && CROSSBEAM_BACKBONE=eth0 # # Strip the files that we use often # diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 5a4661316..129de5222 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
@@ -328,31 +328,7 @@ New Features in version 2.4.0 GATEWAY The gateway that the packet is to be forewarded through. -5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at - eneotecnologia.com) - - If Shorewall is running in a Crossbeam System - (www.crossbeamsystems.com) you need to activate this directive if - you don't want the CPM to think the system is down and send a reset - signal. Also Crossbeam has a backplane chassis that needs to be - configured in such a way that it accepts all traffic. - - This change adds two new options in /etc/shorewall/shorewall.conf: - CROSSBEAM and CROSSBEAM_BACKBONE. - - If CROSSBEAM=Yes, then during a Shorewall start, restart or clear - instead of setting the default policies to DROP and then activating - established connections, Shorewall will first set the default - policies to ACCEPT, activate established connections and then set - the default policies to DROP. After that, Shorewall starts - generating the rules as usual. - - If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set - to Yes, CROSSBEAM_BACKBONE indicates the device used by the - backbone. If not specified or if specified as empty (e.g., - CROSSBEAM="") then CROSSBEAM=No is assumed. - -6) Normally when Shorewall is stopped, starting or restarting then +5) Normally when Shorewall is stopped, starting or restarting then connections are allowed from hosts listed in /etc/shorewall/routestopped to the firewall and to other hosts listed in /etc/shorewall/routestopped. @@ -367,7 +343,7 @@ New Features in version 2.4.0 host. When 'source' is specified in an entry, it is unnecessary to also specify 'routeback'. -7) This change was implemented by Lorenzo Martignoni. It provides two +6) This change was implemented by Lorenzo Martignoni. It provides two new commands: "safe-start" and "safe-restart". safe-start starts Shorewall then prompts you to ask you if 
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf index bda5ca409..7df925578 100755 --- a/Shorewall2/shorewall.conf +++ b/Shorewall2/shorewall.conf @@ -816,34 +816,6 @@ MACLIST_TTL= SAVE_IPSETS=No -# -# CROSSBEAM SUPPORT -# -# If Shorewall is running in a Crossbeam System (www.crossbeamsystems.com) -# you need to activate this directive if you don't want the CPM to think -# the system is down and send a reset signal during firewall restarts. Also -# Crossbeam has a backplane chassis that needs to be configured in such a -# way that accepts all traffic. -# -# If CROSSBEAM=Yes, then during a Shorewall start, restart or clear instead -# of setting the default policies to DROP and then activating established -# connections, Shorewall will first set the default policies to ACCEPT, -# activate established connections and then set the default policies to -# DROP. After that, Shorewall starts generating the rules as usual. -# -# If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set to -# Yes, CROSSBEAM_BACKBONE will indicate the device used by the backbone. -# -# If not specified or if specified as empty (e.g., CROSSBEAM="") then -# CROSSBEAM=No is assumed. -# -# FIXME: This needs to be replaced by better generalised routestopped -# support. -# - -CROSSBEAM=No -CROSSBEAM_BACKBONE=eth0 - ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################